After a quick search, from the documentation, section "Adding a Local Disk" (Autopsy User Documentation: Data Sources):
Autopsy can analyze a local disk without needing to first make an image copy of it. This is most useful when analyzing a USB-attached device through a write blocker.
Note that if you are analyzing a local disk that is being updated, then Autopsy will not see files that are added after you add it as a data source.
You will need to be running Autopsy as an Administrator to view all devices.
Exactly. Since snaps are well-known troublemaker packages and Autopsy isn't available through the regular repositories or Flathub, I didn't find a specific non-invasive method for openSUSE to make Autopsy root-only rather than the entire system session. Also, when I run this program from the icon, it doesn't prompt for the root password like, for example, Core Control does at my startup. When I try to run Autopsy from Terminal (Super User) it shows these messages:
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/boot /boot none bind,ro 0 0): permission denied
mkdir: cannot create directory '/run/user/0': Permission denied
Starting Autopsy…
/snap/autopsy/3/autopsy/bin/…/platform/lib/nbexec: line 41: cd: /home/carlo: Permission denied
/snap/autopsy/3/autopsy/bin/…/platform/lib/nbexec: line 41: cd: /home/carlo: Permission denied
/snap/autopsy/3/autopsy/bin/…/platform/lib/nbexec: WARNING: environment variable DISPLAY is not set
WARNING: Unknown module: javafx.base specified to --add-exports
WARNING: Unknown module: javafx.controls specified to --add-exports
WARNING: Unknown module: javafx.controls specified to --add-opens
Temp Folder for Libraries: /root/snap/autopsy/common/tmp
SleuthkitJNI: loaded libtsk_jni
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.netbeans.TopSecurityManager (file:/snap/autopsy/3/autopsy/platform/lib/boot.jar)
WARNING: Please consider reporting this to the maintainers of org.netbeans.TopSecurityManager
WARNING: System::setSecurityManager will be removed in a future release
I see, so your issue is more related to snap than to Autopsy itself…
I don't use snap myself, but reading its documentation I think you could try to give Autopsy the permission to view the list of disks.
There is a system-files interface, for example, but the documentation page for it states:
- paths in /dev, such as /dev/sda1
Access to /dev device nodes requires both AppArmor policy and device control group inclusion, but the system-files interface does not have enough information to generate the necessary policy to enable these use cases. As such, purpose-specific interfaces should be used instead, such as block-devices or raw-volume.
So maybe you will need the block-devices or raw-volume interface, it could be that… worth a try…
@Citizen839X run/install from the zip file?
Do you mean from github version?
@Citizen839X yes, it has an installer script…
I have no idea where to start with git. How to easily install from git? Can I use GitHub Desktop (flatpak) to install Autopsy Git version?
@Citizen839X The Tags tab → download link → scroll down to Assets;
https://github.com/sleuthkit/autopsy/releases/tag/autopsy-4.21.0
Grab the zip file…
Ok, after downloading the zip file I've extracted the content… what now?
cd autopsy-4.21.0
autopsy-4.21.0> sh unix_setup.sh
Ok, according to Dolphin File Manager, once the content was unzipped, I opened the folder and then gave the "open terminal here" command (Shift+F4)… then:
~/Downloads/autopsy-4.21.0 ~/Downloads/autopsy-4.21.0
Checking for PhotoRec… Checking for Java… found in /usr/lib64/jvm/jre-openjdk
Checking for Sleuth Kit Java bindings… ERROR: sleuthkit-4.12.1.jar not found in /usr/share/java/, /usr/local/share/java/, or the environment variable: 'TSK_JAVA_LIB_PATH': ''.
Please install the Sleuth Kit Java bindings file.
See Releases · sleuthkit/sleuthkit · GitHub.
carlo@localhost:~/Downloads/autopsy-4.21.0>
It seems I need Sleuth Kit, so I found it here - Releases · sleuthkit/sleuthkit · GitHub - and followed the same procedure, but another issue came up…
~/Downloads/sleuthkit-sleuthkit-4.12.1> sh travis_install_libs.sh
- installLib libvhdi 20201204
- wget https://github.com/libyal/libvhdi/releases/download/20201204/libvhdi-alpha-20201204.tar.gz
--2024-02-02 20:53:07-- https://github.com/libyal/libvhdi/releases/download/20201204/libvhdi-alpha-20201204.tar.gz
Resolving github.com (github.com)… 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443… connected.
HTTP request sent, awaiting response… 404 Not Found
2024-02-02 20:53:08 ERROR 404: Not Found.
Damn!
Last update: I'm totally stuck; Sleuth Kit Java bindings are required, and it seems they are available as a .deb package only.
If you still want to try to make the Autopsy snap version work, there is documentation for it, including a chapter for your issue with accessing local disks.
From autopsy/snap/README.md at develop · sleuthkit/autopsy · GitHub:
Installing Snap
An Autopsy snap package file can be installed by running
sudo snap install --dangerous autopsy.snap
The --dangerous needs to be specified because the snap package isn't signed (see install modes for more information). By default, snap doesn't allow certain interactions with the operating system. These super-privileged connections may need to be connected. This can be done manually by running snap connections autopsy to determine any missing connections, and then running snap connect autopsy:home, replacing home with the name of the plug. Another option is to run this script, which will connect all missing plugs:
snap connections autopsy | sed -nE 's/^[^ ]* *([^ ]*) *- *- *$/\1/p' | xargs -I{} sudo snap connect {}
One other possible option may be to install the application with --devmode instead of --dangerous. The --devmode flag is more permissive and will allow all connections to the operating system. More information on interface management can be found at the snapcraft website.
And…
There are no local disks for processing
Autopsy looks at the block devices in the /dev directory for local disks to process. If autopsy can't read block devices in that directory, it won't show the local disk. In most instances, starting autopsy with a command like sudo -g disk autopsy should give autopsy the right permissions to view local disks. This assumes that the disk group has read rights to local disks (i.e. /dev/sda1). Appropriate permissions can be determined by running something like ls -l /dev, looking for the permissions required for the local disks. Then autopsy should be started in such a way that the $USER and $HOME are preserved (i.e. running as root may be problematic), but the user account and, consequently, autopsy, has sufficient permissions to access local disk block devices.
Also it seems that there is a sleuthkit package available in the official repo, if that can help…
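The two README chapters quoted above (connecting missing plugs, and the disk-group permissions behind "There are no local disks for processing") can be turned into a small pre-flight script. The script below is an added example, not code from the Autopsy project or from that README. It assumes GNU coreutils `stat` (as on openSUSE), that local disks appear under /dev as the README says, and a short list of device-name globs (sd?, nvme?n?, vd?) chosen here for illustration; the `snap connections` table it parses is constructed sample output, not captured from a real system. Compared with the README's sed one-liner, it prints the unconnected plugs so they can be reviewed one by one rather than connected wholesale, and it reports why a disk is not readable before anyone reaches for --devmode.

```shell
#!/bin/sh
# Added example (not from the Autopsy project): pre-flight checks for a
# snap-installed Autopsy, based on the README chapters quoted above.

# missing_plugs: read `snap connections <snap>` output on stdin and print
# the plug names whose Slot and Notes columns are both "-" (unconnected).
# Same selection as the README's sed expression, written out readably.
missing_plugs() {
    while read -r iface plug slot notes; do
        [ "$iface" = "Interface" ] && continue      # skip the header row
        [ "$slot" = "-" ] && [ "$notes" = "-" ] && echo "$plug"
    done
    return 0
}

# group_can_read MODE: succeeds when the group read bit is set in a mode
# string as printed by `ls -l` or `stat -c %A`, e.g. "brw-rw----".
group_can_read() {
    case "$1" in
        ????r*) return 0 ;;
        *)      return 1 ;;
    esac
}

# in_group GROUP LIST: succeeds when GROUP is one of the words in LIST
# (LIST is normally the output of `id -nG`).
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# check_device PATH: report whether this account can read PATH and, if not,
# which group the README's `sudo -g <group> autopsy` would need.
# Returns 0 only when the device is readable as-is.
check_device() {
    dev="$1"
    [ -b "$dev" ] || { echo "$dev: not a block device"; return 1; }
    mode=$(stat -c %A "$dev")      # assumption: GNU stat
    grp=$(stat -c %G "$dev")
    if [ -r "$dev" ]; then
        echo "$dev: readable ($mode, group $grp)"
        return 0
    fi
    if group_can_read "$mode"; then
        if in_group "$grp" "$(id -nG)"; then
            echo "$dev: you are in group $grp but still cannot read it; check snap/AppArmor confinement"
        else
            echo "$dev: group $grp may read it; try: sudo -g $grp autopsy"
        fi
    else
        echo "$dev: mode $mode grants no group read access; review the udev rule for it"
    fi
    return 1
}

# Demo run. The table below is constructed sample output, not a real capture;
# the device loop only inspects disks that actually exist on this machine.
sample_connections='Interface       Plug                      Slot    Notes
home            autopsy:home              :home   -
removable-media autopsy:removable-media   -       -
block-devices   autopsy:block-devices     -       -'

echo "Unconnected plugs (review each before: sudo snap connect <plug>):"
printf '%s\n' "$sample_connections" | missing_plugs

for d in /dev/sd? /dev/nvme?n? /dev/vd?; do      # assumption: typical device names
    [ -e "$d" ] && check_device "$d"
done
true
```

Run it as the account that will launch Autopsy, not as root, since the README notes that $USER and $HOME should be preserved; a readable verdict means the empty data-source list is not a permissions problem, while a "try: sudo -g disk autopsy" verdict is exactly the case the README describes.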
This software is very problematic. I followed the snap installation with --devmode, checked the AppArmor setting after a reboot (a profile was created automatically) and then… it freezes at the loading screen (wrap).
I was just looking for a damn piece of software that is able to give me a report exported to Excel after scanning and recovering previously formatted sectors. To be honest, if this is so much pain, it's better to stick to a simple one like QPhotoRec that does the basic job and is able to recover lost data just fine.
Thanks anyway.